Final version of the 6th MaRisk amendment: what banks can expect now

On 16 August 2021, BaFin published the final version of the amended Circular on Minimum Requirements for Risk Management (MaRisk). It contains the national implementation of important guidelines from the European Banking Authority (EBA). In particular, it deals with the handling of non-performing and deferred risk positions, outsourcing agreements and security risks in relation to information and communication technologies. BaFin has also addressed other topics derived from other regulatory initiatives or ongoing audit practice.

Compared to the consultation version of 26 October 2021, adjustments have been made that either better highlight the intended regulatory purpose or better meet the needs of smaller institutions in particular. BaFin provides important information on the background and key points in the letter of transmittal. In addition, all changes compared to the 5th amendment are differentiated into pure clarifications and actual innovations, also with regard to the relevant transition periods. While clarifications apply immediately, there is generally a transitional period until 1 January 2022 for innovations. 31 December 2022 is an exception for the adjustment of existing outsourcing agreements or those currently under negotiation. BaFin will provide separate information on the deadline for converting the risk-bearing capacity concepts to the guidelines of 24 May 2018.

The new requirements pose challenges for Less Significant Institutions (LSIs) in Germany in particular. It is important to implement the new requirements promptly and pragmatically and to integrate them into any existing overarching transformation agenda, including with regard to overall bank management. This is particularly important in times of increasing cost and transformation pressure, as our study on the future of the banking sector shows. We are happy to support you in this and combine our extensive regulatory expertise with our experience in the market.

The sixth MaRisk amendment can be divided into the following subject areas and fields of action:

1. Non-performing and forborne exposures (NPE): The adoption of the EBA guidelines into national supervisory practice follows the principle of proportionality. This means that implementation according to the size, type, complexity and business model of the institutions is permitted. There is a need for extensive action, especially for banks that are particularly affected:

• Design and operationalisation of the strategy for non-performing exposures and corresponding implementation plans for high NPL portfolios, whereby the (quarterly) reporting dates for any exceedance of the 5% ratio are 30 September and 31 December 2021
• Dealing with specialised NPE workout units for NPL ratios of five or more percent
• Standard-compliant implementation of the definitions of NPE and forbearance
• Operationalisation of forbearance in credit and monitoring processes
• Adjustments to the monitoring cycle for collateral and expert rotation for real estate collateral
• Analysing the interactions between recovery periods due to the new definition of default, minimum coverage rules for NPE and additional process and governance requirements for high NPE portfolios

2. Outsourcing agreements: The proposed changes for outsourcing fall short of the far-reaching EBA guidelines in terms of scope and level of detail. This also applies as Germany has already made detailed provisions in this area compared to its European neighbours. This concerns, among other things, the outsourcing of activities and processes (Section 25b KWG). Nevertheless, the topic area is a focus of the MaRisk amendment and opens up corresponding fields of action for banks:

• Review the distinction between outsourcing and other external procurement (definition of outsourcing)
• Expanding the risk analysis to include additional criteria where necessary, paying particular attention to onward outsourcing and adding a scenario analysis where necessary
• Expansion of outsourcing contracts to include minimum content and decision on an approach to approaching service providers for new or existing contracts
• If necessary, sharpening the monitoring criteria for service provider performance to include key risk indicators (KRI) and key performance indicators (KPI)
• Appointment of a central outsourcing officer and decision on organisational location
• Examination of facilitations in groups and alliances along a possibly adapted strategic target image for outsourcing management
• Further development of portfolio management for outsourcing agreements towards an analysable central register and establishment of corresponding reporting and notification processes in accordance with Section 24 KWG as amended by the FISG
• Ensuring the suitability of service providers for the outsourcing of banking transactions requiring authorisation within the European Economic Area and in particular to third countries

3. IT and emergency management: As in the revised version on banking supervisory requirements for IT (BAIT), which was also published on 16 August 2021, there are also specific areas for action in MaRisk:

• Further development of impact and risk analyses as well as scenario analyses
• Quarterly reporting to the management
• Strengthening relevant interfaces (e.g. risk management, IT, service provider management)
• Expansion and adaptation of the test concept in terms of test scope and test frequency

4. Risk-bearing capacity and stress tests: The Bundesbank's special audits already require the aggregation of individually considered non-material risks to be analysed in terms of their overall materiality. BaFin is now also clarifying that a holistic and comprehensive realisation of risk-bearing capacity is expected:

• Prospective review of the risk-bearing capacity concept with regard to the implementation of the new binding approaches (normative or economic perspective instead of the gone-concern or going-concern approaches)
• Check whether the risk-bearing capacity is taken into account accordingly in the strategy
• Adding sensitivity and scenario analyses to the stress test agenda
• Ensuring that relevant data is also maintained with regard to hedging relationships
• Ensuring that risk reporting is up to date and adding information on preliminary and previous quarter data

5. Operational risk: The adjustments relating to operational risks are largely of a clarifying nature and merely supplement existing precautions. BaFin appears to be focussing risk management on a prospective view of potential weaknesses and risks:

• Review of the appropriateness of the procedures with regard to the coverage of the main characteristics
• Reviewing and, if necessary, implementing the recording of collective losses
• Supplementing the operational risk reporting system with regard to material weaknesses and material potential events

BaFin has announced that it will start preparatory work on a 7th amendment as soon as the 6th MaRisk amendment comes into force. This will focus in particular on the implementation of the EBA guidelines on lending and credit monitoring as well as individual aspects of dealing with sustainability risks. It is expected that the 7th amendment will come into force in 2022 and thus follow the current revision of MaRisk in a timely manner.

The areas of action outlined in the 6th amendment show that the banks affected will have to prepare for a complex and time-consuming implementation phase. In addition to the key issues mentioned above, there are a large number of other changes that require the involvement of numerous banking divisions. An efficient approach is therefore essential in order to save relevant resources and avoid costly delays. A phased implementation plan should first address the clarifications mentioned by BaFin, as these must be applied immediately, and then deal with the innovations in the next step.

We provide banks with an efficient implementation package, supplemented by the following benefits:

• We already offer services, particularly for the three key areas of NPL management, outsourcing agreements and IT emergency management. We also provide advice in the broader context of the requirements.
• We have relevant references from the implementation of requirements for both SIs (Significant Institutions) and individual LSIs (Less Significant Institutions).
• We regularly prepare banks for audits ordered by BaFin (in accordance with section 44 KWG) and are therefore familiar with typical points of criticism and findings.
• We have an established programme management and quality assurance system for regulatory implementations.

Please feel free to contact us.